A remote code execution vulnerability in Redis, the widely used in-memory data structure store, has sent shockwaves through the cybersecurity community.
The flaw, designated CVE-2025-49844 and dubbed “RediShell” by researchers, carries the maximum CVSS 3.1 severity score of 10.0 and affects all unpatched Redis versions.
13-Year-Old Bug Creates Modern Security Crisis
Wiz Research uncovered the vulnerability, a use-after-free memory corruption bug in Redis’s Lua scripting support that has been present in the source code for approximately 13 years.
An authenticated attacker who is allowed to run Lua scripts (the EVAL and EVALSHA commands) can send a specially crafted script that triggers the use-after-free, escapes the Lua sandbox and achieves arbitrary native code execution on the Redis host.
CVE ID | Product | Vulnerability Type | Impact | Attack Vector | Authentication Required
---|---|---|---|---|---
CVE-2025-49844 | Redis (all unpatched versions) | Use-After-Free (UAF) Memory Corruption | Remote Code Execution (RCE) | Network | Yes (post-auth; any client on an instance with no password counts as authenticated)
The vulnerability’s impact extends far beyond simple data breach scenarios.
Successful exploitation grants attackers complete control over the host system, enabling them to exfiltrate sensitive data, deploy ransomware or crypto miners, steal credentials including SSH keys and IAM tokens, and establish persistent backdoors for lateral movement throughout cloud environments.
What makes this vulnerability particularly alarming is Redis’s ubiquitous presence in modern infrastructure.
Security researchers estimate that Redis operates in approximately 75% of cloud environments, serving critical functions including caching, session management, and publish-subscribe messaging systems.
The vulnerability’s severity becomes even more concerning when examining current deployment practices.
Wiz Research analysis reveals approximately 330,000 Redis instances currently exposed to the internet, with about 60,000 of these installations lacking any authentication configuration whatsoever.
The official Redis container image, which the research found in 57% of cloud environments, does not require authentication by default.
This matters because the flaw is post-authentication only in name on such hosts: an instance with no password treats every client that can reach TCP port 6379 as authenticated, so internet-exposed, unauthenticated Redis instances are trivial targets for remote attackers.
Organizations operating Redis instances in internal networks face elevated risks as well. Many internal deployments prioritize convenience over security, often running without proper authentication mechanisms.
This creates opportunities for attackers who have already gained initial network access to exploit the vulnerability for lateral movement and privilege escalation.
The RediShell exploitation process follows a devastating attack chain. Initially, attackers send malicious Lua scripts targeting the use-after-free vulnerability.
These scripts successfully escape Redis’s Lua sandbox environment and achieve arbitrary code execution capabilities on the underlying host system.
Once system access is established, attackers can carry out a full compromise: stealing authentication credentials such as SSH keys, IAM tokens and certificates stored on the system, installing malware or cryptocurrency miners, and opening reverse shells for persistent access.
Redis published a security advisory on October 3, 2025, alongside patched versions addressing the vulnerability.
The vulnerability was reported at Pwn2Own Berlin on May 16, 2025, so roughly four and a half months separated the report from the public fix, on top of the 13 years during which the bug went unnoticed.
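The exposure conditions described above (listening on all interfaces, no password, the default container image) and the patch release both come down to the same practical question: which of my instances can an arbitrary client talk to, and which of their users can still run Lua? The following Python script is an added example, not code from this article, from Wiz or from the Redis project. It audits a `redis.conf` fragment and `ACL LIST` output offline for those conditions. The last check reflects the interim workaround in Redis’s own advisory, which this article does not mention: restricting Lua execution with ACL rules (for example `-@scripting`) on instances that cannot be patched immediately. The config fragments, ACL lines and finding keys such as `auth:none` are constructed for this example.

```python
"""Offline audit of Redis exposure conditions (added example, not Redis/Wiz code).

Checks a redis.conf fragment and ACL LIST output for the settings that turn
the post-auth RediShell precondition into "anyone who can reach the port":
listening on all interfaces, protected-mode off, no authentication, and
enabled users still permitted to run the EVAL/FCALL command family.
Finding keys (e.g. "auth:none") are this example's own naming.
"""

# Constructed sample: the convenience configuration the article describes.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# no requirepass and no aclfile: every client is the passwordless default user
"""

# Constructed sample: loopback only, authentication on, ACL file for per-user rules.
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
aclfile /etc/redis/users.acl
"""

# Constructed ACL LIST output (password hashes shortened in this sample).
# Rules apply left to right, so "+@all -@scripting" grants everything and
# then revokes the scripting category, which is the advisory's interim workaround.
WEAK_ACL = ["user default on nopass sanitize-payload ~* &* +@all"]
HARDENED_ACL = [
    "user default on #0123abcd ~* &* +@all -@scripting",
    "user app on #4567ef01 ~app:* &* -@all +@read +@write +@connection",
]

# Commands that execute Lua or Redis Functions; all are in Redis's @scripting category.
SCRIPT_CMDS = ("eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro")

# bind values that listen on every interface (a leading "-" only means
# "do not fail if the address is unavailable", it does not restrict anything).
WILDCARD_BIND = {"0.0.0.0", "::", "*", "-::*"}


def parse_conf(text):
    """Return {directive: value} from redis.conf text, ignoring comments; last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_acl_user(line):
    """Parse one ACL LIST line into (name, enabled, nopass, can_run_scripts).

    Command rules are applied left to right exactly as Redis does, so a later
    "-@scripting" overrides an earlier "+@all" and a later "+eval" re-enables it.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    name = tokens[1]
    rules = tokens[2:]
    enabled = "on" in rules
    nopass = "nopass" in rules
    allowed = set()
    for tok in rules:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = set(SCRIPT_CMDS)
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed = set()
        elif tok[0] in "+-" and len(tok) > 1:
            cmd = tok[1:].lower().split("|")[0]  # strip subcommand, e.g. "+fcall|foo"
            if cmd in SCRIPT_CMDS:
                if tok[0] == "+":
                    allowed.add(cmd)
                else:
                    allowed.discard(cmd)
    return name, enabled, nopass, bool(allowed)


def audit(conf_text, acl_lines):
    """Return a list of finding keys; an empty list means no exposure condition found."""
    conf = parse_conf(conf_text)
    findings = []
    bind = conf.get("bind", "").split()
    if not bind or any(addr in WILDCARD_BIND for addr in bind):
        findings.append("bind:all-interfaces")  # no bind at all also means all interfaces
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode:off")  # the last safety net for unbound, passwordless instances
    if "requirepass" not in conf and "aclfile" not in conf:
        findings.append("auth:none")
    for line in acl_lines:
        name, enabled, nopass, can_script = parse_acl_user(line)
        if enabled and nopass:
            findings.append(f"nopass:{name}")
        if enabled and can_script:
            findings.append(f"scripting:{name}")  # this user can reach the vulnerable Lua path
    return findings


if __name__ == "__main__":
    for label, conf, acl in (("weak", WEAK_CONF, WEAK_ACL), ("hardened", HARDENED_CONF, HARDENED_ACL)):
        print(f"{label}: {audit(conf, acl) or 'no findings'}")
```

Run it against a copy of the real `redis.conf` and the output of `redis-cli ACL LIST` rather than the samples; a `scripting:<user>` finding on an unpatched instance identifies exactly the accounts that can reach the vulnerable code path, and `auth:none` together with `bind:all-interfaces` is the configuration the 60,000 exposed instances above are running.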
CVE-2025-49844 is one of fewer than 300 vulnerabilities assigned the maximum CVSS score in the past year, and it is the first Redis vulnerability rated critical.
Organizations worldwide must treat this as an urgent security priority requiring immediate remediation efforts.